Dropbox, the popular file hosting service that has managed to amass over 100 million users in the five years since it was launched, has had its fair share of problems: security glitches, hacks, being used as a malware hosting site, etc.

The latest is the work of two researchers who not only managed to reverse engineer (unpack, decrypt and decompile) the Dropbox client software (i.e. the desktop app), but have documented the step-by-step process and made it public in a paper they presented at the recently concluded USENIX Security Symposium.

In it they present new techniques for reverse engineering frozen Python applications such as (but not limited to) the Dropbox client, for intercepting SSL traffic between the client and Dropbox's servers, and a method they used to bypass Dropbox's two-factor authentication and hijack Dropbox accounts.

"Once you have decompiled the source code, it is possible to study how Dropbox works in detail," they noted, adding that their work reveals the internal API used by the Dropbox client, which should make it easy for others in the security community to write an open-source Dropbox client.

While Dropbox's developers are doing a good job of patching the vulnerabilities the researchers exploited to perform their attacks, the researchers pointed out that they do not believe the anti-reverse-engineering measures the developers deploy are beneficial either for Dropbox users or for Dropbox itself.

"Most of Dropbox's 'secret sauce' is on the server side, which is already well protected," they say, and point out that users should be able to know the insides of, and trust, the software they use, especially if they entrust it with their data.

UPDATE:
"We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client," a Dropbox spokesperson commented on the matter.

"In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board."
